University takes measuresagainst e-mail offenders

Peter Kauffner

The University plans to formalize its Internet use guidelines soon, despite the fact that University students are relatively well-behaved online.
“The students from the University of Minnesota should be complimented for their behavior. We have had very few cases of abuse,” said Frank Grewe, manager of Internet Services for Academic Computing and Information Technologies at the University.
“The use of e-mail at the University is very heavy, in the range of millions of pieces a day,” said Yvonne Carlton, chairwoman of the Acceptable Use Policy Committee and manager of data security at central computing.
Carlton’s committee is currently working to formalize the University’s rules on e-mail use. A draft of the new rules was made available for public comment on Nov. 14. The comment period will run until Dec. 18.
“Up until now we haven’t really had a good formal policy and it has, for the most part, been based on complaints in which there is really gross evidence that an account has been abused,” Grewe said.
E-mail abuse encompasses violations of federal law such as forging posts and soliciting for pyramid schemes, as well as less clearly defined offenses such as harassment and off-topic posting.
“Harassment-type complaints are referred to the University Police for investigation,” Grewe said.
“We have a three strikes, you’re out’ policy,” Grewe added. The first two violations result in the suspension of the violator’s Internet privileges. The third offense results in the termination of the offending account.
“What people (who have had their accounts suspended) generally say is that someone must have hacked into their account and done it. In that situation we tell them that of course it is their responsibility to keep their account password secure,” Grewe said.
To reopen an account after a first offense, the student or staff member must contact the systems staff and is told the reason the account was suspended. To reopen an account that has been closed a second time, the account holder must sign an agreement promising not to repeat the offense.
After a third offense, action against the student or staff member is taken before the Judicial Affairs Department. “We have had only a couple of cases that have gone that far,” Grewe said.
Academic Computing does not restrict the quantity of messages an individual may send, but it does investigate when a complaint is made that an individual has posted off-topic material to a newsgroup. Complaints are accepted by [email protected]
“We don’t really have a limit on how much a particular individual may participate,” Grewe said.
Posting the same message to 20 newsgroups, for example, would be considered an example of unacceptable behavior, Grewe said.
Forging e-mail is one of the easiest forms of abuse to commit. In a forged message, the header, which contains origin and routing information, is modified to make the message appear as if it came from someone other than the actual sender. Under federal law, this constitutes wire fraud and carries a sentence of up to five years in prison.
“Nowadays, anyone who uses Netscape can forge e-mail,” said Zaphiris Christidis, a computer security expert with IBM’s Watson Research Center in New York. Messages created with Netscape, a popular World Wide Web browser, will contain the word “Mozilla” in the header.
If computing services staff suspect that a particular message is forged, they will look at the header lines “NNTP Posting Host,” which indicates a message’s source system, and “Message ID.” This will usually tell investigators from what system the message originated, and even which modem or lab computer was used. Academic Computing keeps a message log that can be used to verify whether a particular message passed through the University’s e-mail system.
“We may not be able to prove who did (send a particular message), but we can show that you didn’t, which is usually what people want anyway. Proving who did is always a lot harder than proving who didn’t,” Grewe said.
Users of Popmail, the University’s e-mail program, can check the header of a message they receive by saving it to a disk and reading it as a text file. Netscape also has an option that allows users to view a message header.
A student who gets a message from Operations staff or any other source that asks for a password or other account information should report it immediately.
“Nobody, absolutely nobody, asks for a password, ever. Requests for information in e-mail should never be honored. If we call somebody at home, we tell them to call us back so they know that they are calling a University telephone and who it is,” Grewe said.